Memo of Meeting

Date: March 7, 2001

Location: 1350 Piccard Drive, Rockville, MD

Subject: 21 Code of Federal Regulations, Part 11; Electronic Records; Electronic Signatures

Representing Wimmer Systems, Inc.:

Mr. Derek Wimmer, President

 

Representing FDA:

Mr. Paul Motise, Consumer Safety Officer, Office of Enforcement

Ms. Christine Nelson, Consumer Safety Officer, Office of Health and Industry Programs, Center for Devices and Radiological Health

Mr. Mark Hackman, Consumer Safety Officer, Center for Food Safety and Applied Nutrition

Mr. Stewart Crumpler, Regulatory Officer, Center for Devices and Radiological Health

Mr. Tom Chin, Consumer Safety Officer, Office of Enforcement

Ms. Denise Dion, Investigator, Office of Regional Operations

 

The meeting was held at Mr. Wimmer’s request to familiarize FDA with his company’s software that is intended to modify Microsoft Excel to include part 11 compliant features. The features include use of electronic signatures, signature manifestations, and audit trails.

At the start of the meeting we explained that FDA doesn’t approve/disapprove part 11 products and services and that our comments should not be taken as formal FDA review. We commented that we were interested in knowing about available enabling technologies, including add-ons to existing systems that lack certain part 11 technical features.

 

 

Background:

By way of background, Mr. Wimmer explained that Wimmer Systems is a small software producer, a firm he and his wife founded. Mr. Wimmer explained that prior to starting the company he had about six years of experience working in the quality control lab of a major pharmaceutical producer. He said his wife has similar experience in that industry and that his firm therefore has a good understanding of FDA CGMP/GLP requirements. Mr. Wimmer is familiar with part 11 and said he saw an opportunity to develop applications that add audit trails and other part 11 features to programs widely used in FDA regulated companies. He commented that he sees similar opportunities in industries regulated by the Environmental Protection Agency and that he met with EPA representatives shortly before the current meeting with us.

 

Wimmer Applications:

Mr. Wimmer explained that his firm’s first application is intended to work with MS Excel (versions 97 and 2000); the primary feature is audit trailing of spreadsheets. He said he has developed a stable prototype and expects to release a beta version in a few weeks, with a commercial release to ensue in a few months. The program is intended for use on stand-alone computers, not networked implementations. Mr. Wimmer said that if the product turns out to be viable, he will develop similar add-on audit trail software for other MS Office applications like MS Word. He said that about 100 pharmaceutical firms have expressed interest in his program.

Mr. Wimmer said that he designed the software based on code interface modules (such as a cryptographic application interface) that Microsoft makes available; he explained that the code for Windows 95 and 98 is available as plug-ins and the code for Windows NT is already built in. He commented that regulated firms may not be aware of this. He commented that in the future he may use XML to capture the audit trail.

Mr. Wimmer explained that the program, DaCS™, creates an audit trail of each spreadsheet in a workbook, and provides for digital signatures under the RSA model; the program generates digital signature keys and end user companies can issue their own digital certificates. Creation, modification and deletion of spreadsheet cells are covered by the audit trail, which itself is presented as a worksheet that is part of the workbook.

The audit trail feature may be turned off before, but not in the middle of, a session in which a workbook is prepared. If the workbook is prepared without the audit trail activated, it would lack the audit trail spreadsheet. An audit trailed workbook that is transported to another computer that lacks the firm’s program could not be altered.

The audit trail records the date and time, the operator’s identification and printed name, and the nature of the operation (e.g., creation/modification of cell data and objects). The audit trail does not capture changes in formatting, such as font style, comments, and pictures. Mr. Wimmer explained that the system is intended to focus on data and formulas. When an operator makes a number of changes to the same cell during a given session (e.g., if the operator makes mistakes and then corrects them) before "committing" the workbook by saving it, the audit trail captures only the last entry made. A saved workbook is protected so that it can’t be altered outside the audit trail software.

Early versions of the program required the operator to record the reason for making a change. Mr. Wimmer said this feature will be configurable in the final version so that operators would not have to enter the reason for making a change. The audit trail can be "replayed" to show the history of changes.
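
Added illustration (not part of the original memo and not Wimmer Systems code): a minimal Python model of the commit-on-save and "replay" behavior described above, showing that intermediate values entered before a save never reach the audit trail. All class, function and field names are hypothetical; recording the previous value and skipping edits that are reverted before saving are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Entry:
    when: str
    operator_id: str
    printed_name: str
    cell: str
    operation: str      # "create", "modify" or "delete"
    old: object         # assumption: the prior committed value is recorded
    new: object

class AuditedSheet:
    def __init__(self, operator_id, printed_name):
        self.operator = (operator_id, printed_name)
        self.committed = {}  # cell -> value as of the last save
        self.pending = {}    # cell -> latest unsaved value (None means deleted)
        self.trail = []

    def set_cell(self, cell, value):
        self.pending[cell] = value  # overwrites earlier edits in this session

    def delete_cell(self, cell):
        self.pending[cell] = None

    def save(self):
        """Commit the session: one audit entry per cell, last value only."""
        now = datetime.now(timezone.utc).isoformat()
        for cell, new in self.pending.items():
            old = self.committed.get(cell)
            if new == old:
                continue  # assumption: edited then reverted, nothing recorded
            op = "create" if old is None else "delete" if new is None else "modify"
            self.trail.append(Entry(now, *self.operator, cell, op, old, new))
            if new is None:
                self.committed.pop(cell, None)
            else:
                self.committed[cell] = new
        self.pending.clear()

def replay(trail):
    """Rebuild the sheet state after each audit entry, oldest first."""
    state, history = {}, []
    for e in trail:
        if e.operation == "delete":
            state.pop(e.cell, None)
        else:
            state[e.cell] = e.new
        history.append(dict(state))
    return history
```
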

The program applies the signer’s digital signature to the entire workbook. Operators enter id codes/passwords to apply digital signatures. The program can be configured regarding password length, dictionary challenge, and reuse.

During the meeting Mr. Wimmer demonstrated the product on a laptop computer. He showed how the software implements audit trails. He briefly explained the basic architecture of how the software integrates with MS Excel. (An overview document is attached to this memo.)

We asked if the audit trail would transfer with the workbook under applications that copied the files to Palm platform devices. Mr. Wimmer said it would not, but that he would look into this application.

Validation:

Regarding validation, Mr. Wimmer said he has validated his application, but could only verify the MS Excel program. He commented that he saw no performance changes in the spreadsheet itself as a result of having his program active. We asked if his firm would permit customers to audit the firm’s operations as part of the validation effort. He said yes.

 

The meeting concluded after about two hours.

 

 

cc:

Part 11 dockets

HFC-200

HFA-224

FDA Part 11 Committee members

Doc ID WimmerSystemsMemo of Meeting030701.doc

P. Motise 03/14/01